circle-ir-ai 2.8.3 → 2.8.5

package/CHANGELOG.md

@@ -5,6 +5,84 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [2.8.5] - 2026-06-09
+
+### Fixed
+
+- **#84: CWE-Bench-Java runner produced 2 unrecoverable JSON parse
+  errors with `gemma3:12b`** (and any other local Ollama model) on
+  the 2026-06-09 run. Root cause turned out to be two distinct bugs
+  in `benchmarks/runners/run-cwe-bench-java.ts`:
+
+  **(1) Deterministic context overflow on large files (#118
+  rocketmq).** The Ollama `/v1/chat/completions` (OpenAI-compat)
+  endpoint defaults to `num_ctx=8192` — much smaller than the
+  model's native context window. `AdminBrokerProcessor.java`
+  (2655 lines, ~35K tokens) filled the entire prompt buffer,
+  leaving exactly 1 token for the response ("Okay"). The parser
+  then logged `No JSON found in response`.
+
+  Repro confirmed with `num_ctx∈{8192,16384}` → `eval_count=1`,
+  `num_ctx∈{32768,49152}` → `eval_count≈630`, valid array of 5
+  entries.
+
+  Fix: the runner now sets `options.num_ctx=32768` for any
+  `localhost:11434` / `127.0.0.1:11434` base URL. Honors
+  `LLM_OLLAMA_NUM_CTX` override for users with smaller VRAM or
+  models that don't support 32K (rare). 32K covers every file
+  in CWE-Bench-Java; gemma3:12b / qwen3-coder:30b / llama3 all
+  support 32K natively in <10GB VRAM.
+
+  **(2) Transient temp=0 stochasticity on tiny files (#109
+  spring-security).** `DefaultHttpFirewall.java` is 68 lines and
+  the parse error did NOT reproduce on 3 fresh repro attempts —
+  diagnosed as KV-cache / batch-grouping non-determinism that
+  surfaces at ~1% rate even with `temperature=0`.
+
+  Fix: added a single retry on any JSON parse failure
+  (`PARSE_ERR_ARRAY`, `PARSE_ERR_OBJECT`, `NO_JSON`). One retry
+  is sufficient because the failure is non-deterministic; a
+  second consecutive failure indicates a real prompt/model
+  problem worth recording as `parseError` in stats. Adds at
+  most ~1% extra LLM calls in the worst case, ~0 in the
+  common case.
+
+  Together these fixes should drop gemma3:12b's failure rate
+  from 2/109 (1.8%) to ~0/109. Smoke-tested on #118 only —
+  full re-run will happen on next benchmark cycle.
+
+  New env var: `LLM_OLLAMA_NUM_CTX` (integer, defaults to
+  32768). Only consulted when the LLM base URL is local
+  Ollama.
+
+## [2.8.4] - 2026-06-09
+
+### Fixed
+
+- **#72: benchmark runners ignored externally-set env vars (e.g.
+  `LLM_ENRICHMENT_MODEL`).** Symptom: `LLM_ENRICHMENT_MODEL=gpt-oss-120b
+  npm run benchmark:cwe` silently used whatever value was in the local
+  `.env` instead — masking LLM uplift in CWE-Bench-Java runs and
+  producing static-only numbers when the user had explicitly requested
+  an LLM model on the command line.
+
+  Root cause: 4 benchmark runners loaded `.env` via `dotenv.config()`
+  with its default `override: true` behavior, so `.env` clobbered any
+  pre-existing `process.env` value (the opposite of POSIX
+  precedence).
+
+  Fix: pass `{ override: false }` in all four call sites:
+  - `benchmarks/runners/run-cwe-bench-java.ts`
+  - `benchmarks/runners/run-all-benchmarks-parallel.ts`
+  - `benchmarks/instruction-safety/run-benchmark.ts`
+  - `benchmarks/skills/run-skills-benchmark.ts`
+
+  External env vars (CLI invocation, exported shell vars) now win;
+  `.env` is consulted only for keys not already set. `circle-pack`'s
+  `src/api/server.ts` is intentionally left as-is — different threat
+  model (production REST server where `.env` is the canonical config
+  source).
+
 ## [2.7.19] - 2026-05-28
 
 ### Versioning policy

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "circle-ir-ai",
-  "version": "2.8.3",
+  "version": "2.8.5",
   "description": "LLM-enhanced SAST analysis built on circle-ir",
   "main": "dist/index.js",
   "module": "dist/index.js",